One Day Sec

How can an attacker obtain a Net-NTLM hash in a network environment?

Attackers can capture Net-NTLM hashes by performing a man-in-the-middle (MITM) attack using tools like Responder (Python) or Inveigh (PowerShell). When a client attempts to authenticate to a server (e.g., via SMB), the attacker intercepts the challenge and response, extracting the Net-NTLM hash. Alternatively, an attacker can force an outbound NTLM authentication request from a target (e.g., via a malicious SMB share or a link in an email) to a controlled system, thereby capturing the hash. The extracted hash can then be cracked offline with tools like Hashcat.